Do you have your head in the cloud?

26 Jul Do you have your head in the cloud?

I use “clouds” as most people have inadvertently switched to using multiple cloud providers – each hooking you into their collective ecosystems. I seem to have acquired a few: Dropbox, iCloud, Microsoft Office 365 – then we have email and messaging: proton-mail, Gmail, Hotmail, signal, WhatsApp, Skype, Skype for Business (for some reason different to Skype – and incompatible, but hey who needs platform integration?), iMessage; code repositories or information services such as GitHub or LinkedIn … And then, because I need more clouds, I have additional mobile and social services too: Facebook and Twitter – you get the gist. I tend to use skewed personal data for the majority of these services – who really needs to know my real date of birth or other personal data?

It’s been a subtle shift to cloudy things – gradually adopting services that take your personal data and move it from being within your control to being owned and maintained within cloud service provider’s systems – all under varying terms and conditions. Of course, these cloud providers all merge, de-merge, acquire each other and generally move data between data centres and companies without having to seek permission from me, the supposed data owner.

Before I go any further, I should say I’m a geek – and that means I probably have more of these things than most people. Having conducted an extensive and thorough poll of nearly 6 of my friends and colleagues, it looks like most ‘normal’ people use a minimum of 8 distinct cloud services. Just think about that for a moment – 8 services with your personal data, 8 sets of ignored terms and conditions, 8 different companies accessing and making a profit from your data or meta-data. At the top level, the communications companies and carriers also make money from your communications meta-data (the stuff Teresa May, as Home Secretary, said was “unimportant”).

Let’s widen the net a bit – every major company with whom you transact or communicate will store your personal details in a customer relationship management system or order processing system. Many companies have migrated to cloud providers themselves. All of this data travels over public networks where, again, the communications companies and internet service providers dutifully capture your Internet history, along with the data about the associated networks of people or companies.

Do you still feel you’re in control of your data?

I mentioned before that we have a major issue with data loss: photographs and other ‘dynamically captured’ media being the worst for this (people using digital media to store photographs or videos of events, and then losing or abandoning the technology on which it was captured). I also argue that we have not only lost data, but we also end up with a vast amount of stale or downright inaccurate data about us sitting on systems we don’t even know exist.

As we head towards Brexit with the changes it will bring to regionalised data storage requirements, then add the introduction of the General Data Protection Regulation (GDPR), and combine this with the Investigatory Powers Act 2016, we start to see huge contradictory requirements in the management, ownership and visibility of our personal data. During a recent court case in Philadelphia, the judge demanded that Google hand over Gmail messages stored outside of the USA: “Though the retrieval of the electronic data by Google from its multiple data centres abroad has the potential for an invasion of privacy, the actual infringement of privacy occurs at the time of disclosure in the United States”, Judge Thomas Rueter.

I worry that with so much stale and/or inaccurate data about us floating around, we could end up being subjected to laws that prevent freedom of speech – the current legal framework in the UK suggests that any Government agency can obtain my entire Internet history – and use this to prosecute or cause problems without citizens having the right to challenge the data collected, its method of collection, or the manner in which it was subsequently processed (Section 56 of the 2016 Act). I can see a time when HMRC tax someone, or agencies remove benefits based on the contents of a series of stale or inaccurate private messages and simply saying (in response to a legal challenge) “we received information but we’re not obliged to identify the source”.

Companies need to address why they capture data – and assess how stale it is. The more copies of data, the more stale it becomes. I’d urge people to go back to the source whenever possible – if a company needs my personal details, I’d rather I provided it – my various profiles will give entirely different dates of birth or locations – perhaps an insurance company should ask me where I live before marketing “US-based insurance” deals to me.

I know my data’s in the cloud. I also know that most of that data has already passed its expiration date. Legislation has yet to catch up with the explosion of cloud services. International boundaries cease to exist and countries such as the USA can extract data outside of even the newest regulations, including GDPR (as shown in the Google case). How can the information commissioner actually determine where companies hold data or how relevant it now is?

My take on this – I need to take responsibility for my own data. I need to keep track of the services that use my data, and make sure they’re all up to date. In an ideal world, I’d like to be the source of that information and provide it to selected companies/organisations via two or three authorised brokers with well integrated data management frameworks. Update one or two systems and everything’s updated in a single hit. I can dream, right?

Engineer and design data systems properly: use source data where possible, reduce the number of copies of information, allow me to become schizophrenic when I need – and stop me losing control of my identity in the fog so I can enjoy the sunshine above the clouds!